Skip to content

Instantly share code, notes, and snippets.

@nvahalik

nvahalik/dpp.md

Last active August 10, 2018 14:59
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save nvahalik/a719c77b47b3a748698a6323bc308c65 to your computer and use it in GitHub Desktop.
Save nvahalik/a719c77b47b3a748698a6323bc308c65 to your computer and use it in GitHub Desktop.
Download ZIP
A basic data protection policy for sub/contractors
Raw
dpp.md

Background

We've been trying to codify some ways to convey to people what we do and what we expect them to do regarding how they manage and handle customer-related data. Curious on any thoughts or feedback anyone might have. This is the first draft!

Data Protection Policy

As a contractor for the Company, you agree to undertake the following in the daily course of business:

  • Take all necessary measures to ensure that any source code, client-related data, secrets, etc. will remain in secure storage while they are being worked on.
  • Promptly remove any and all assets for a client in the event of a project becoming terminated or a lapse in work for a client for a period of 6 weeks. This includes and all backups of all client-related data.
  • Encrypt all backups or you will exclude from backups all source code, databases, and assets for each client.
  • Utilize 2FA for services which provide them (e.g. Github).

In order to protect the Client, you agree to immediately alert the Company in any of these events:

  • Any breach or potential breach of confidential information, including but not limited to: loss or theft of hard drives, backups, USB drives, laptops, computers which contain source code, assets, or databases related to client work, password managers, and unprotected (i.e. passwordless) SSH keys used to access servers.
  • Upon discovery of unsafe or potentially liable situations including but not limited to: public availability of private keys, assets, or passwords, source code, configuration files, databases, database dumps, or any other proprietary or private information or customer-related PII.
  • Any employee departure along with the employee’s SSH keys or hashes, email addresses, related logins and credentials which must be disabled or reset.

Likewise, the Company agrees to:

  • Provide training and resources for the enabling of developers to access and understand best practices.
  • Provide, free of charge and without compensation, time for training of key staff and persons managing developers and developer-related hardware.
  • Work with the client to ensure that best practices are managed from the top of the project down to developers.
  • Alert the contractor(s) to any changes or deviations from this agreement.
  • Inform the client of the above in order to ensure that they understand this agreement and assent to what it says.
  • Attempt to provide resources from the client which limit the exposure and liability of both the client and of the contractor to potential harm or breeches of confidential information.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment